Setting up an SSL server that disconnects connections and executes commands

0

I am looking for suggestions on how to set up a simple SSL server that listens on a port and, when a device connects, tells the device to disconnect and then executes a command.

Context: the device is an Amazon Dash button, and when it connects the message is encrypted, but I don't care about the message.

I will be running this on an OpenWrt router.

I read about using netcat and openssl s_server, but I would like feedback and suggestions on the best way to implement this.

Here is my current solution using netcat:

while true; do
    # plain TCP listener on 443: send the file, then close the connection at EOF (-c)
    netcat -vv -l -p 443 -c < /www/default.html
    # a client connected: fire the IFTTT webhook
    curl -X POST http://maker.ifttt.com/trigger/button_pressed/with/key/<MY KEY>
    # crude debounce so repeated connections from one press only fire once
    sleep 5
done

Any thoughts on this solution?

Steven Feldman

Posted 2016-05-14T03:56:43.697

Reputation: 113

Don't know about OpenWrt support, but you could write a service to send the disconnect, and connect stunnel to it on one end and an arbitrary port on the other as your listener. Writing a service, however, is a non-trivial task. – Frank Thomas – 2016-05-14T04:20:27.313

Can you recommend a good intro doc on setting one up? – Steven Feldman – 2016-05-14T06:59:42.753

OpenSSL has a basic server. You run it with openssl s_server, and the source code is in <openssl src dir>/apps/s_server.c. Stunnel for the SSL/TLS front-end is probably a good choice, too. The first thing you should probably do is make a decision on the architecture. – jww – 2016-05-19T04:49:26.193

Needs a better title, 'cause this is far from setting up a normal SSL server. – xpt – 2016-05-21T01:10:11.843

@xpt, probably; suggested new title? – Steven Feldman – 2016-05-21T20:54:37.410

@jww, I tried that but I could not get the certificates to work right. – Steven Feldman – 2016-05-21T20:55:14.940

Answers

1

I found these instructions for setting up an SSL server to fool the Dash button:

https://mpetroff.net/2015/05/amazon-dash-button-teardown/

(Look under the comment by Mark, posted on August 9, 2015 at 5:39 pm.)

He used a web server from https://gist.github.com/jonathantneal/774e4b0b3d4d739cbc53

Using the information above, I was able to write my own SSL server (Python 2):

import BaseHTTPServer, SimpleHTTPServer, ssl

class MyHTTPHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    # Log the request line and send nothing back. HTTPServer closes the
    # connection as soon as the handler returns, which is all the button needs.
    def do_GET(self):
        print 'GET', self.path

    def do_POST(self):
        print 'POST', self.path

if __name__ == "__main__":
    # Bind to all interfaces on port 443 (needs root)
    httpd = BaseHTTPServer.HTTPServer(('', 443), MyHTTPHandler)
    # cert.pem holds both the private key and the certificate (see the openssl command below)
    httpd.socket = ssl.wrap_socket(httpd.socket, certfile='cert.pem', server_side=True)
    httpd.serve_forever()

and I get outputs like:

POST /2/b
POST /2/d
POST /2/d
POST /2/d

The above is all from a single press. However, it isn't more useful than a generic TCP server that just handles an incoming connection, as there is no difference between a single press, a double press and a long press.

(It is quite likely that you need to fool the Dash button into trusting your self-signed certificate. This is what I did.)

$ openssl req -x509 -newkey rsa:2048 -out cert.pem -nodes -keyout cert.pem
Generating a 2048 bit RSA private key
.................................................+++
..................................................................................................................+++
writing new private key to 'cert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Washington
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Amazon.com, Inc.
Common Name (e.g. server FQDN or YOUR name) []:parker-gateway-na.amazon.com
Email Address []:

some user

Posted 2016-05-14T03:56:43.697

Reputation: 2 022
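As an added example (not the asker's or the answerer's code), here is the same pattern in Python 3 with the two pieces the thread circles around made explicit: the server completes the TLS handshake and then closes the connection without reading anything, and a debounce window collapses the several connections the answer observed from one press into a single command. It assumes cert.pem holds both key and certificate as produced by the openssl command above, that port 443 is free (run as root on the router, or change PORT), and that the command to run is the question's curl call with its <MY KEY> placeholder; the 5-second window is an assumed value.

```python
import socket
import ssl
import subprocess
import time

# Added example, not code from the original post or answer. Assumptions:
# cert.pem holds both key and certificate (as the answer's openssl command
# produces), port 443 is free, and the IFTTT URL is the question's placeholder.
CERTFILE = "cert.pem"
PORT = 443
IFTTT_URL = "http://maker.ifttt.com/trigger/button_pressed/with/key/<MY KEY>"

# The answer's log shows four POSTs from one press, so connections arriving
# within this window are collapsed into a single trigger (assumed value).
DEBOUNCE_SECONDS = 5.0


class PressDebouncer:
    """Collapse a burst of TLS connections into one logical button press."""

    def __init__(self, window=DEBOUNCE_SECONDS, clock=time.monotonic):
        self.window = window
        self.clock = clock
        self.last_fired = None

    def register(self, now=None):
        """Return True if this connection should fire the command."""
        if now is None:
            now = self.clock()
        if self.last_fired is not None and now - self.last_fired < self.window:
            return False
        self.last_fired = now
        return True


def make_server_context(certfile, keyfile=None):
    """Server-side TLS context; keyfile=None means the key is inside certfile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def handle_connection(conn, debouncer, on_press):
    """Finish the handshake, then drop the connection without reading any
    application data. Returns True if on_press was called.

    A completed handshake is the only signal needed: it means the client
    accepted the certificate (name and, for newer buttons, issuing CA).
    A failed handshake is ignored rather than counted as a press."""
    try:
        conn.do_handshake()
    except OSError:            # ssl.SSLError and socket.timeout are subclasses
        conn.close()
        return False
    conn.close()               # disconnect before the client sends its body
    if debouncer.register():
        on_press()
        return True
    return False


def fire_ifttt():
    """The command to run on a press; here the question's curl call."""
    subprocess.call(["curl", "-s", "-X", "POST", IFTTT_URL])


def serve(certfile=CERTFILE, port=PORT, on_press=fire_ifttt):
    ctx = make_server_context(certfile)
    debouncer = PressDebouncer()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("", port))
        sock.listen(5)
        while True:
            raw, addr = sock.accept()
            raw.settimeout(5)  # a client that stalls mid-handshake is dropped
            # do_handshake_on_connect=False so handshake errors surface in
            # handle_connection instead of inside wrap_socket
            conn = ctx.wrap_socket(raw, server_side=True,
                                   do_handshake_on_connect=False)
            fired = handle_connection(conn, debouncer, on_press)
            print("connection from %s:%d, fired=%s" % (addr[0], addr[1], fired))


if __name__ == "__main__":
    serve()
```

The handshake is treated as the event rather than the HTTP request: the button only sends its encrypted POST after it has accepted the certificate, so a rejected certificate never shows up as a false press, and closing right after the handshake is exactly the "tell the device to disconnect" the question asks for. The debouncer is the same idea as the `sleep 5` in the netcat loop, but it does not block the listener while waiting.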

Thanks! The fooling part was where I was having some trouble; I did not enter any information when I made my certificate (I used the defaults). I am also now reading up on dhcp-script as an alternative to even having a script. – Steven Feldman – 2016-05-21T21:00:24.800

You are welcome. To be honest, I never thought it would work until I saw the post by Mark. Pretty lousy security if you ask me. – some user – 2016-05-21T21:07:12.053

I recently ordered another Dash button and I found out that the above solution no longer works. First of all, the address has changed to dash-button-na.amazon.com. But then, Amazon seems to have wised up and checks the signing authority. Even worse, the Dash button will not initiate a connection to the server if it is within the same subnet as the Dash button. – some user – 2016-05-24T04:25:44.467